THE ‘ICEFOG’ APT: A TALE OF CLOAK AND THREE DAGGERS

2013-09-25 Kaspersky

https://media.kasperskycontenthub.com/wp-content/uploads/sites/58/2013/09/21182446/icefog.pdf

Attachments

icefog.pdf (5 MB)


Kaspersky describes Icefog as an interactive APT backdoor set active since at least 2011, targeting mostly Japan and South Korea across government, military contractor, maritime, shipbuilding, telecom, industrial, high-tech, and media organizations. The campaign used spear-phishing with Microsoft Office exploits, Java exploit links, WinHelp abuse, and HWP vectors to deploy Icefog/Fucobha malware. Operators controlled infected systems manually rather than relying on automatic exfiltration, uploading additional backdoors and lateral-movement tools as needed to collect data from live victim environments. The report documents command-and-control infrastructure, infection statistics, attribution discussion, mitigation guidance, and IOCs for both Windows and Mac OS X variants.

Indicators of Compromise
